Senate cybersecurity measure worries contractors

Critical Pentagon programs to protect classified data from cyberattackers and state-sponsored spies hang in the balance as lawmakers begin to confer on competing House and Senate defense authorization bills.

The two chambers approved measures that impose different cybersecurity requirements on companies that sell software to the government, and they set forth competing visions for how federal contractors should respond if their networks have been breached. In addition, the House and Senate specify different roles for the Defense Department in conducting clandestine operations in cyberspace.

Lawmakers must untangle these thorny issues in a short time frame if they hope to finish work on the bill this year. On cybersecurity, the outcomes matter to tech companies and contractors with big bucks on the line, as well as to the Obama administration, which has raised red flags on how both bills approach the nation’s digital defenses.

Most of the fights on the horizon originate from late changes made to the Senate’s defense bill, which passed last week on a 98-0 vote.

One of the most controversial amendments, backed by chamber defense leaders, would require a broad swath of contractors to report to the Pentagon in the event of a successful cyberintrusion.

The problem: DOD already has a narrow, voluntary program, known as the defense-industrial base pilot, meant to encourage contractors in the DIB to report cyberintrusions while sharing threat data with their federal partners. The fear is the Senate’s proposed mandatory program would cover more entities and possibly create another, more costly reporting system, putting the two programs in conflict.

Lawmakers say the change is critical. “It’s so obvious that if a defense contractor with classified information has their networks penetrated and attacked, then the government has to know about that,” said Sen. Carl Levin (D-Mich.), who authored the amendment, after the Senate bill passed.

“I just think it’s very, very clear in those circumstances that we have an obligation to know if contractors have classified information and that we are paying for that contractor’s work,” he said.

But the tech sector has plenty of doubts.

Trey Hodgkins, senior vice president of Global Public Sector at TechAmerica, told POLITICO many companies involved in the current DIB pilot are likely to try to fight the change, given they’ve “all invested a lot of time and effort in this process” at the regulatory level. His group wrote to Levin and Sen. John McCain (R-Ariz.) on Thursday to highlight a litany of issues with the amendment, including the fact it had never been vetted before a committee.